Analysis
max time kernel: 33s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 00:48
Static task: static1
Behavioral task: behavioral1
Sample: c7aa34f320361f47db27e5d63fa4e5f7d8ef9207ff30040e4430f6a0a46afa8dN.dll
Resource: win7-20240903-en
General
Target: c7aa34f320361f47db27e5d63fa4e5f7d8ef9207ff30040e4430f6a0a46afa8dN.dll
Size: 120KB
MD5: 30333a8f701ac7bdb3a91cff2b286fd0
SHA1: a85e30cf7c2e21c7c73c6fea3f978c545c3008c5
SHA256: c7aa34f320361f47db27e5d63fa4e5f7d8ef9207ff30040e4430f6a0a46afa8d
SHA512: de2c1b6d73bc114594b6c51659ad5c17ddcc7e51db22b50ee635498a0bcb244be8428aabc777db6e9fa15d4026729e59ef97695e216abd1012ffe7b8640317fb
SSDEEP: 3072:XIYyYgmQuQOHtX0jyTu++/7/496nYlYHV:XjdQjONt+DzGe
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57af99.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e3f7.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e3f7.exe
Executes dropped EXE 3 IoCs
pid | Process
1828 | e57af99.exe
960 | e57b12f.exe
2000 | e57e3f7.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e3f7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57af99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e3f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57af99.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e3f7.exe
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57e3f7.exe
File opened (read-only) | \??\E: | e57af99.exe
File opened (read-only) | \??\G: | e57af99.exe
File opened (read-only) | \??\H: | e57af99.exe
File opened (read-only) | \??\I: | e57af99.exe
File opened (read-only) | \??\J: | e57af99.exe
File opened (read-only) | \??\K: | e57af99.exe
File opened (read-only) | \??\E: | e57e3f7.exe
Memory regions matching yara rule upx 29 IoCs
resource | yara_rule
behavioral2/memory/1828-N-0x00000000007F0000-0x00000000018AA000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 20, 29, 32, 33, 34, 35, 36, 37, 42, 43, 52, 53, 55, 56, 58, 60, 61 (23 dumps of the same region in e57af99.exe) | upx
behavioral2/memory/2000-N-0x0000000000810000-0x00000000018CA000-memory.dmp for N in 86, 88, 89, 90, 92, 132 (6 dumps of the same region in e57e3f7.exe) | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57b026 | e57af99.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57af99.exe
File created | C:\Windows\e580b55 | e57e3f7.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57af99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b12f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e3f7.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1828 | e57af99.exe (4 times)
2000 | e57e3f7.exe (2 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1828 | e57af99.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4636 wrote to memory of 388 | 4636 | rundll32.exe | 83 (3 times)
PID 388 wrote to memory of 1828 | 388 | rundll32.exe | 84 (3 times)
PID 1828 wrote to memory of 776 | 1828 | e57af99.exe | 8
PID 1828 wrote to memory of 780 | 1828 | e57af99.exe | 9
PID 1828 wrote to memory of 332 | 1828 | e57af99.exe | 13
PID 1828 wrote to memory of 2608 | 1828 | e57af99.exe | 44
PID 1828 wrote to memory of 2628 | 1828 | e57af99.exe | 45
PID 1828 wrote to memory of 2132 | 1828 | e57af99.exe | 51
PID 1828 wrote to memory of 3468 | 1828 | e57af99.exe | 56
PID 1828 wrote to memory of 3596 | 1828 | e57af99.exe | 57
PID 1828 wrote to memory of 3776 | 1828 | e57af99.exe | 58
PID 1828 wrote to memory of 3868 | 1828 | e57af99.exe | 59
PID 1828 wrote to memory of 3964 | 1828 | e57af99.exe | 60
PID 1828 wrote to memory of 4040 | 1828 | e57af99.exe | 61
PID 1828 wrote to memory of 60 | 1828 | e57af99.exe | 62
PID 1828 wrote to memory of 1396 | 1828 | e57af99.exe | 75
PID 1828 wrote to memory of 4476 | 1828 | e57af99.exe | 76
PID 1828 wrote to memory of 2696 | 1828 | e57af99.exe | 77
PID 1828 wrote to memory of 4636 | 1828 | e57af99.exe | 82
PID 1828 wrote to memory of 388 | 1828 | e57af99.exe | 83 (2 times)
PID 388 wrote to memory of 960 | 388 | rundll32.exe | 85 (3 times)
PID 1828 wrote to memory of 776 | 1828 | e57af99.exe | 8
PID 1828 wrote to memory of 780 | 1828 | e57af99.exe | 9
PID 1828 wrote to memory of 332 | 1828 | e57af99.exe | 13
PID 1828 wrote to memory of 2608 | 1828 | e57af99.exe | 44
PID 1828 wrote to memory of 2628 | 1828 | e57af99.exe | 45
PID 1828 wrote to memory of 2132 | 1828 | e57af99.exe | 51
PID 1828 wrote to memory of 3468 | 1828 | e57af99.exe | 56
PID 1828 wrote to memory of 3596 | 1828 | e57af99.exe | 57
PID 1828 wrote to memory of 3776 | 1828 | e57af99.exe | 58
PID 1828 wrote to memory of 3868 | 1828 | e57af99.exe | 59
PID 1828 wrote to memory of 3964 | 1828 | e57af99.exe | 60
PID 1828 wrote to memory of 4040 | 1828 | e57af99.exe | 61
PID 1828 wrote to memory of 60 | 1828 | e57af99.exe | 62
PID 1828 wrote to memory of 1396 | 1828 | e57af99.exe | 75
PID 1828 wrote to memory of 4476 | 1828 | e57af99.exe | 76
PID 1828 wrote to memory of 2696 | 1828 | e57af99.exe | 77
PID 1828 wrote to memory of 4636 | 1828 | e57af99.exe | 82
PID 1828 wrote to memory of 960 | 1828 | e57af99.exe | 85 (2 times)
PID 388 wrote to memory of 2000 | 388 | rundll32.exe | 86 (3 times)
PID 2000 wrote to memory of 776 | 2000 | e57e3f7.exe | 8
PID 2000 wrote to memory of 780 | 2000 | e57e3f7.exe | 9
PID 2000 wrote to memory of 332 | 2000 | e57e3f7.exe | 13
PID 2000 wrote to memory of 2608 | 2000 | e57e3f7.exe | 44
PID 2000 wrote to memory of 2628 | 2000 | e57e3f7.exe | 45
PID 2000 wrote to memory of 2132 | 2000 | e57e3f7.exe | 51
PID 2000 wrote to memory of 3468 | 2000 | e57e3f7.exe | 56
PID 2000 wrote to memory of 3596 | 2000 | e57e3f7.exe | 57
PID 2000 wrote to memory of 3776 | 2000 | e57e3f7.exe | 58
PID 2000 wrote to memory of 3868 | 2000 | e57e3f7.exe | 59
PID 2000 wrote to memory of 3964 | 2000 | e57e3f7.exe | 60
PID 2000 wrote to memory of 4040 | 2000 | e57e3f7.exe | 61
PID 2000 wrote to memory of 60 | 2000 | e57e3f7.exe | 62
PID 2000 wrote to memory of 1396 | 2000 | e57e3f7.exe | 75
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57af99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e3f7.exe
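The registry rows above are the actionable part of this report: both droppers turn the firewall off (EnableFirewall = 0, DoNotAllowExceptions = 0), switch UAC off (EnableLUA = 0, which only takes effect after a reboot), and set every Security Center *Override / *DisableNotify value to 1 so that Windows Security Center stops alerting. Two details worth checking when you triage a report like this: the Security Center writes land under WOW6432Node, which is the registry redirection a 32-bit process gets on x64 (the firewall keys are in the SYSTEM hive and the Policies\System key is shared, so they are not redirected), and the sandbox logs ControlSet001 rather than CurrentControlSet. The following script is an added example, not part of the sandbox report or the Sality sample: it parses IoC lines in the report's own format (the sample lines are transcribed from the Signatures section above), maps each write to the ATT&CK technique it corresponds to, and reports which processes wrote through WOW64 redirection. The technique mapping in RULES is the editor's own and is an assumption, not something the report states.

```python
"""Parse the registry IoC lines from the Signatures section and map each
write to the defence it impairs, per writing process.

Input format (one IoC per line, as printed in the report):
    <operation> <registry path>[ = "<value>"] <process image>
"""
import re
from collections import defaultdict

# Constructed input: IoC lines transcribed from the Signatures section above.
# Both droppers write the same keys; this subset keeps one example of each kind.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57af99.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57af99.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57e3f7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57af99.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57e3f7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57af99.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57e3f7.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57b12f.exe',
]

IOC_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # key path may contain spaces ("Security Center")
    r'(?:\s=\s"(?P<value>[^"]*)")?'       # only "Set value" rows carry a value
    r'\s+(?P<proc>\S+\.exe)$'
)

# Editor's assumption: value-name suffix -> (tampered value, ATT&CK technique, effect).
# Firewall values live in the SYSTEM hive; EnableLUA under HKLM\SOFTWARE\...\Policies\System.
RULES = {
    r'\FirewallPolicy\StandardProfile\EnableFirewall':       ('0', 'T1562.004', 'Windows Firewall disabled'),
    r'\FirewallPolicy\StandardProfile\DoNotAllowExceptions': ('0', 'T1562.004', 'firewall exceptions allowed'),
    r'\FirewallPolicy\StandardProfile\DisableNotifications': ('1', 'T1562.004', 'firewall notifications suppressed'),
    r'\Policies\System\EnableLUA':                           ('0', 'T1548.002', 'UAC disabled (effective after reboot)'),
}


def parse_ioc(line: str) -> dict:
    """Split one report line into op / path / value / proc, plus whether the
    write landed under WOW6432Node (i.e. came from a 32-bit process on x64)."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    ioc = m.groupdict()
    ioc['redirected'] = '\\wow6432node\\' in ioc['path'].lower()
    return ioc


def classify(ioc: dict):
    """Return (technique, effect) for a defence-impairing write, else None."""
    if not ioc['op'].startswith('Set value'):
        return None                      # key create/open carries no value to judge
    path, value = ioc['path'].lower(), ioc['value']
    for suffix, (bad, technique, effect) in RULES.items():
        if path.endswith(suffix.lower()) and value == bad:
            return technique, effect
    # Any Security Center *Override / *DisableNotify = 1 silences a WSC alert.
    name = ioc['path'].rsplit('\\', 1)[1]
    if '\\security center\\' in path and value == '1' and name.lower().endswith(('override', 'disablenotify')):
        return 'T1562.001', f'Security Center alert suppressed ({name})'
    return None


def summarise(lines):
    """{process image: set of ATT&CK technique ids it triggered}."""
    per_proc = defaultdict(set)
    for line in lines:
        ioc = parse_ioc(line)
        hit = classify(ioc)
        if hit:
            per_proc[ioc['proc']].add(hit[0])
    return dict(per_proc)


def wow64_writers(lines):
    """Processes whose HKLM\\SOFTWARE writes were redirected to WOW6432Node."""
    return sorted({parse_ioc(l)['proc'] for l in lines if parse_ioc(l)['redirected']})


if __name__ == '__main__':
    for proc, techniques in summarise(REPORT_LINES).items():
        print(proc, sorted(techniques))
    print('32-bit writers:', wow64_writers(REPORT_LINES))
```

The lazy path match in IOC_RE is what lets the parser cope with the space in "Security Center"; it stops at the first point where the rest of the line is exactly ` = "<value>" <image>` or ` <image>`. Key create/open rows deliberately classify as None: the report lists the Svc key creation under "Windows security modification", but the write alone says nothing about what will be stored there.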
Processes
PID 776  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
PID 780  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
PID 332  C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"
PID 2608  C:\Windows\system32\sihost.exe  cmdline: sihost.exe
PID 2628  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2132  C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3468  C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE
PID 4636  C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7aa34f320361f47db27e5d63fa4e5f7d8ef9207ff30040e4430f6a0a46afa8dN.dll,#1
  - Suspicious use of WriteProcessMemory
  PID 388  C:\Windows\SysWOW64\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7aa34f320361f47db27e5d63fa4e5f7d8ef9207ff30040e4430f6a0a46afa8dN.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 1828  C:\Users\Admin\AppData\Local\Temp\e57af99.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57af99.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    PID 960  C:\Users\Admin\AppData\Local\Temp\e57b12f.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57b12f.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    PID 2000  C:\Users\Admin\AppData\Local\Temp\e57e3f7.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57e3f7.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
PID 3596  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3776  C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3868  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3964  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4040  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 60  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1396  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4476  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2696  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

Indentation shows parent/child depth as recorded by the sandbox. The 64-bit rundll32.exe (system32, PID 4636) launches the 32-bit SysWOW64 rundll32.exe (PID 388) with the same DLL and export ordinal (#1), which is the normal hand-off for a 32-bit DLL on an x64 host and matches the WOW6432Node registry writes above; the three dropped executables are children of the 32-bit host. The remaining top-level processes are the session's own (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, RuntimeBroker, ...) and appear only because the droppers wrote into their memory.
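Read together, the WriteProcessMemory rows and the process list say two different things: the rundll32 writes into PIDs 1828, 960 and 2000 are a parent writing into the child it has just created, while the writes by e57af99.exe and e57e3f7.exe go into every already-running process in the session, the same set in the same order, twice for the first dropper. The script below is an added example written for this page, not code from the sandbox or the sample: it parses rows in the report's format (the trailing procid_target column is the sandbox's own index of the target process record, not a PID, and is discarded), drops parent-to-child writes using the tree above, and resolves the remaining targets to image names. The process map and the row subset are transcribed from this report; any row not in the subset is simply not shown.

```python
"""Rebuild the injection graph from the 'Suspicious use of WriteProcessMemory'
IoCs: separate a parent writing into the child it just created (normal
process start-up) from writes into unrelated, already-running processes."""
import re
from collections import defaultdict

# Constructed input, transcribed from the Processes section: PID -> image path.
PROCESSES = {
    776: r'C:\Windows\system32\fontdrvhost.exe',
    780: r'C:\Windows\system32\fontdrvhost.exe',
    332: r'C:\Windows\system32\dwm.exe',
    2608: r'C:\Windows\system32\sihost.exe',
    2628: r'C:\Windows\system32\svchost.exe',
    2132: r'C:\Windows\system32\taskhostw.exe',
    3468: r'C:\Windows\Explorer.EXE',
    4636: r'C:\Windows\system32\rundll32.exe',
    388: r'C:\Windows\SysWOW64\rundll32.exe',
    1828: r'C:\Users\Admin\AppData\Local\Temp\e57af99.exe',
    960: r'C:\Users\Admin\AppData\Local\Temp\e57b12f.exe',
    2000: r'C:\Users\Admin\AppData\Local\Temp\e57e3f7.exe',
}
# child PID -> parent PID, from the depth markers of the process tree.
PARENT = {388: 4636, 1828: 388, 960: 388, 2000: 388}

# Constructed input: a subset of the WriteProcessMemory IoC rows above.
# Columns: description, pid, Process, procid_target (sandbox record index, not a PID).
WPM_LINES = [
    'PID 4636 wrote to memory of 388 4636 rundll32.exe 83',
    'PID 388 wrote to memory of 1828 388 rundll32.exe 84',
    'PID 1828 wrote to memory of 776 1828 e57af99.exe 8',
    'PID 1828 wrote to memory of 332 1828 e57af99.exe 13',
    'PID 1828 wrote to memory of 3468 1828 e57af99.exe 56',
    'PID 1828 wrote to memory of 388 1828 e57af99.exe 83',
    'PID 1828 wrote to memory of 776 1828 e57af99.exe 8',     # second pass, same target
    'PID 388 wrote to memory of 2000 388 rundll32.exe 86',
    'PID 2000 wrote to memory of 776 2000 e57e3f7.exe 8',
    'PID 2000 wrote to memory of 3468 2000 e57e3f7.exe 56',
]
# The pid column repeats the source PID from the description, hence the \1 backreference.
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def parse_wpm(line: str):
    """-> (source pid, target pid, source image). Raises on an unexpected line."""
    m = WPM_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised WriteProcessMemory line: {line!r}')
    src, dst, image, _record = m.groups()
    return int(src), int(dst), image


def injection_edges(lines, parent=PARENT):
    """{source pid: sorted target pids}, excluding a parent's writes into its own child."""
    edges = defaultdict(set)
    for line in lines:
        src, dst, _ = parse_wpm(line)
        if parent.get(dst) == src:
            continue                     # CreateProcess hand-off, not injection
        edges[src].add(dst)
    return {src: sorted(t) for src, t in edges.items()}


def common_targets(lines, pid_a, pid_b):
    """Targets both sources wrote into (here: the two droppers hit the same processes)."""
    edges = injection_edges(lines)
    return sorted(set(edges.get(pid_a, ())) & set(edges.get(pid_b, ())))


def system_targets(lines):
    """Injection targets whose image lives under C:\\Windows."""
    hit = set()
    for targets in injection_edges(lines).values():
        hit.update(t for t in targets if PROCESSES.get(t, '').lower().startswith(r'c:\windows'))
    return sorted(hit)


if __name__ == '__main__':
    for src, targets in injection_edges(WPM_LINES).items():
        names = ', '.join(f'{t} {basename(PROCESSES.get(t, "?"))}' for t in targets)
        print(f'{src} {basename(PROCESSES[src])} -> {names}')
    print('shared targets of 1828 and 2000:', common_targets(WPM_LINES, 1828, 2000))
```

Dropping the parent-to-child rows is what turns 64 undifferentiated IoCs into the one fact an analyst needs: the droppers write into processes they did not create. If you feed the full table in, the second pass by PID 1828 collapses into the first because targets are collected as a set; keep the raw list instead if you care about the ordering.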
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 8f06f1f0b26a14e9640d45710e1d8638
SHA1: 696642a7cc0164ae5d5abf6f9e2bf249a1880d0e
SHA256: ec647facf413f15fd7e799258b882cbbc8608af986dc12fa722c02d44ea2249e
SHA512: eba2663770ebda6b69c23230f26cf64b22b2f4598dae0d4d73c9c8b81d9b8dc92fe9b29dcbcf49f934bb92cb6a0abeed31b41bdd11c290fb1c06219b49587d86
-
Filesize: 257B
MD5: 4d20ce056d1ee8f1d6bd4b9ba6348cee
SHA1: 495d60a85c69aa9f561f28220d40278beaa3283e
SHA256: 5e111a0b5c2dfa4aa575bac4aca7174288512d99e26bff7cc724ff71af830633
SHA512: 40b67a4bcb94efff46fd76ede9c672cb0cbc721e1394f61d1f188bdb3dc3dfaf4ef6def006b932c9c44cd9e53a8abde393d06ba4ed4547621910c814cc744522